New E-Privacy Cookie Law Comes into Force
Eighteen months after the announcement that the law on using cookies would be changing, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (you can read the full text here) have made it onto the UK statute book. They come into force today.
As expected the rules say that cookies will only be lawful where a user has consented to their being installed on his or her browser, and to their accessing information on the user’s device. This supersedes the old ‘notice and choice’ regime which required only that website operators provide basic information about how cookies would be used (not necessarily in advance) and then allowed users to refuse them.
We’ve known for some time (because the changes implement European law) what in broad terms the new rules would say. The key issue has always been the precise requirements for user consent (and, more practically, what this would mean for website operators and ad networks). The 2011 Regulations, together with guidance from the Information Commissioner (ICO) and the Department for Culture, Media and Sport (DCMS), show the government steering a difficult middle course by acknowledging that notice and choice mechanisms need to improve but at the same time trying to put forward practical and workable solutions for business.
At this point it’s helpful to remind ourselves where the consent debate now stands. The arguments essentially focus on two alternatives. The first, supported by the Article 29 Working Party (an influential committee of national regulators), suggests consent should meet the definition in the Data Protection Directive, i.e. be “freely given, specific and informed”. In practice most commentators agree this would probably require communication of quite granular information about all the cookies which might be triggered when visiting a website, with users then having to opt-in before a cookie could be used. This has raised concerns about the effect on users’ web surfing experience, not to mention its impact on the advertising industry.
The alternative is more pragmatic and takes its lead from Recital 66 of the Directive. This says: “ ... where it is technically possible and effective ... consent to processing may be expressed by using the appropriate settings of a browser ...”. DCMS has previously indicated the government’s preference for this second option, but on condition the behavioural targeting industry acts responsibly and develops workable self regulation. The Internet Advertising Bureau (IAB) and FEDMA (the Federation of European Direct and Interactive Marketing) have been promoting a self-regulatory framework which DCMS supports, featuring an ‘advertising option icon’ (pictured on the right) which appears, together with suitable disclosures, whenever a user’s mouse hovers over ads on sites which are served through behavioural targeting. The icon also enables direct access to a site, “Your Online Choices”, which allows users to opt-out of tracking (you can view the site here). DCMS also favours privacy policy notices and single consumer control pages.
So what do the 2011 Regulations say?
The key words are in section 6(3)(A): “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.” On its face this seems to follow the pragmatic ‘Recital 66’ approach. However, both the ICO and DCMS have said that “current” browsers are not sophisticated enough to fulfill the requirement for “appropriate settings” as Recital 66 requires. In other words, browser settings as they exist today are either too difficult to find, too difficult to change, or just don’t give users enough control over what cookies can and can’t do.
You might well ask why the 2011 Regulations are couched in these terms if the government believes browser settings don’t meet the consent requirements even of Recital 66? DCMS plans to set up a working group to explore how more appropriate consent mechanisms can be built into browsers and has said solutions will be “phased in” gradually. It also said last month that “during this time we do not expect the ICO will take enforcement action against businesses and organisations that are working to address their use of cookies or are engaged in development work on browsers and/or other solutions.” So the message is clear that until appropriate browser solutions become available, companies which proactively audit current cookie use and start considering ways to enhance user notice and choice are unlikely to face enforcement action.
Be warned however that ICO guidance (which was also published last month and is available here) makes it clear the regulator expects organisations to devise a “realistic plan to achieve compliance… [The ICO] would handle this sort of [organisation] very differently… from an organisation which decides to avoid making any changes to current practice. The key point is that you cannot ignore these rules.” So businesses should not simply carry on as normal in the belief they need do nothing for the time being.
The ICO guidance in fact offers some alternatives for getting consent and suggests website operators may need to deploy a range of solutions depending on the nature of the cookies they use. It stresses the importance of transparency, both in relation to cookie use and also in the way users communicate their consent, e.g. through pop-up or tick boxes confirming agreement to new or amended terms and conditions.
The guidance doesn’t preclude website operators from relying on implied consent in some circumstances, for example where a user requests language or location based services, provided the user is fully informed of the consequences. The more intrusive the cookie (e.g. if used to profile users based on browsing history) the greater the responsibility to provide clear information and choice.
One area where the guidance is largely silent is in relation to third party cookies (which in many cases will include cookies used to serve targeted advertising). It says only that “anyone whose website allows or uses third party cookies [should] make sure they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device”. This will be of little use to website operators but it reflects the government’s decision to stand behind industry moves to self-regulate and demonstrates that initiatives like the IAB self-regulatory framework are likely to be the default routes to compliance (you can view the IAB principles here).
So, in short, we now have a sunrise period in the UK during which enforcement action should be avoidable if organisations take proactive measures to audit their systems and procedures. The immediate next question is how the rest of Europe will follow when other member states issue local laws in coming weeks...
26/05/2011
Cookies - short strings of data which websites upload to your browser to record internet use - are now part of the fabric of the web.